1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting computer attacks.
2. Description of the Background Art
Cross-site request forgery (“CSRF”) is a type of computer attack where unauthorized transmissions are sent from a user computer to access websites that trust the user. The transmissions resulting from a CSRF attack are “unauthorized” in that the user has not authorized or initiated the transmissions and is not even aware that the transmissions were sent out from his computer. The unauthorized transmissions may involve unauthorized access of a user's online account. FIG. 1 shows a flow diagram schematically illustrating an example CSRF attack.
A CSRF attack may begin with a hacker or other malicious individual introducing CSRF code in a legitimate website 170 that the user visits (arrow 161). The CSRF code may comprise computer-readable program code that automatically performs unauthorized access of an online account upon receipt and execution in the victim user computer. A user employing a web browser 173 may request a web page from the website 170 (arrow 162). In response, the website provides the web page (arrow 163), which may include the CSRF code. When the CSRF code is received and executed in the user's computer, the CSRF code sends unauthorized transmissions to access the user's online account in the website 171 (arrow 164). For example, the CSRF code may comprise the following script:
<Img src=http://somebank.com/transferfunds.asp?amnt=10000&acc=someone>
where “somebank.com” is the domain of the website 171. If the user keeps authentication information for the website 171 in a cookie, and if the cookie has not expired, the script will transfer funds out of the user's account without the user's approval when the script is executed in the user's computer.
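The tag above has a recognizable shape: an element the browser fetches automatically, pointing at a host other than the one that served the page, with request parameters attached. The following Python sketch is an added example, not part of the original text and not the method of the invention. It flags that shape in a page body; the heuristic, the tag list, and the host name "news.example.org" standing in for website 170 are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Elements whose URL attribute is fetched automatically when the page renders.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src",
              "embed": "src", "link": "href"}


class CrossSiteFetchFinder(HTMLParser):
    """Collects auto-fetched URLs that target another host and carry parameters."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_FETCH.get(tag)  # HTMLParser lowercases tag names
        url = dict(attrs).get(attr_name) if attr_name else None
        if not url:
            return
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        if not host or host == self.page_host:
            return  # relative or same-host reference: not cross-site
        params = parse_qs(parts.query, keep_blank_values=True)
        if params:  # a parameterized request to another site, sent with its cookies
            self.findings.append({"tag": tag, "host": host,
                                  "path": parts.path, "params": sorted(params)})


def find_cross_site_fetches(html, page_host):
    finder = CrossSiteFetchFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: two benign images plus the tag quoted in the text.
SAMPLE_PAGE = """<html><body>
<img src="/images/logo.png">
<img src="http://cdn.example.net/banner.jpg">
<Img src=http://somebank.com/transferfunds.asp?amnt=10000&acc=someone>
</body></html>"""

if __name__ == "__main__":
    for finding in find_cross_site_fetches(SAMPLE_PAGE, "news.example.org"):
        print(finding)
```

Benign third-party content such as tracking pixels matches the same shape, so the findings are candidates for review rather than verdicts.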
A popular technique of guarding user computers from websites that contain malicious code is to consult a web reputation service. The web reputation service maintains a database of malicious websites. The use of a web reputation service, however, is ineffective against CSRF attacks because the website serving the CSRF code is typically a legitimate website. Also, a typical web reputation service cannot provide real-time protection from CSRF attacks because it is difficult to update a reputation database fast enough to include newly compromised websites.